
Re: Final Position Re: (CVEPRI): Handling new vulnerabilities discovered by Steve Christey



*Marcus J. Ranum (mjr@NFR.NET) [000922 19:18]:
> > The reality is that the Internet is the greatest opportunity for
> > self-gratification and wealth generation ever made available to the
> > technically inclined. So it should not be hard to pursue
> > self-gratification and wealth through activities that are _positive_
> > and _responsible_. If you want people to respect your technical
> > skills: create. If you want people to respect your wisdom: educate.
> > If you want people to _LIKE_ you: defend them, help them, nurture them.

That is exactly what full disclosure does. It educates people about security and the details of security vulnerabilities, and it defends them from unresponsive vendors.

> There are viable alternatives, and I have presented them, if nothing
> else, calmly. I believe that, given that you are on this list, you
> owe it to yourself to honestly acknowledge them. They may not be
> alternatives you _LIKE_, but not liking them doesn't make them
> nonviable.

Feel free to point them out to me. I've not had the pleasure of listening to your talks on the subject. What I've heard has been second-hand comments and news reports, and none of them mentioned you proposing any alternatives. Your personal web site seems to be down and I've not found anything on the NFR web site related to the topic. You certainly haven't mentioned any on this message thread. Please, enlighten me.

> My position has consistently been that people must take
> responsibility for the consequences of their actions. I think
> most civilized people will agree that's a necessity for a
> functioning society.
> - Individuals/companies who discover damaging things need to
>   manage the process of getting them fixed responsibly
> - Individuals/companies who discover damaging flaws (or are
>   told about damaging flaws) in their products need to manage
>   the process of getting them fixed responsibly.

Sure. We are in agreement so far.

> Lots of offended hackers do not understand my position because
> they are emotionally reacting to the piece that applies to _them_,
> which is understandable but not particularly helpful. I have said
> many times that _VENDORS_ need to be held accountable for flaws
> in their stuff!!! I have said many times that UCITA is a terrible
> thing because it will perpetuate a dangerous status quo. I have
> said many times that _HACKERS_ need to be held accountable for
> the way in which they disseminate vulnerability information.

And how exactly are you proposing to hold them accountable?

> Aleph, You've taken ad hominem shots at me implying that because
> I love money and sell a product, I'm also "helping myself." That's
> true, but I'm not helping myself at the expense of someone else.
> Back when I was building firewalls at TIS I discovered a flaw
> in a competitor's product. Did I publicize it? I called their
> product manager and made sure it got fixed in the next release.
> Did I make money from that? No. There are an infinity of fun,
> attractive, valuable ways to make money - there's no need to
> look at the negative side of things when the opportunity to be
> positive is so _HUGE_.

I've done no such thing. I've simply pointed out the fallacy in what I believed was your statement claiming vulnerability information has no tangible value, by showing that it has value to your company and product. I in no way implied that you are helping yourself to anything. So for anyone that misinterpreted my comment, let me state here that that was not its meaning. I am sorry if you somehow feel offended. That was certainly not my intention.

> I have. First listen, then talk.

Show them to me. Give me a URL or some reference to these proposed solutions.

> I don't think things are particularly good right now. Only
> someone who was practicing deliberate self-deception would
> think the situation has improved. If you read, for example,
> CERT's statistics: the number of security break-ins can
> be charted on a graph that bears an amazing resemblance to
> Cisco's stock price: going up rapidly with no end in sight.
> If you read CSI's statistics, the amount of measured lossage
> due to security problems is increasing equally rapidly.

You must own a copy of "How to Lie With Statistics". While you are indeed correct that the total number of incidents has grown, the Internet itself has grown at a faster rate. It's my firm belief that the total *percentage* of vulnerable hosts on the Internet has gone down. If you haven't already, I suggest you read "An Analysis Of Security Incidents On The Internet 1989-1995" by John D. Howard. See <http://www.cert.org/research/JHThesis/Start.html> for the conclusions.

> The only improvement I can see over the last few years is that
> it's a great time to be a "grey hat" hacker. They can do all the
> stuff the "black hats" do but get paid lots of money and become
> media stars. In fact, they can wring their hands and say "there's
> no alternative." The reality is that there's an alternative;
> SPEND YOUR TIME BUILDING THINGS INSTEAD OF DESTROYING THEM
> Or is that too obvious?

The basic flaw in your argument is that you equate destroying things with "bad". I guess Consumer Reports should go out of business. Whether you like it or not, society needs people that try to break things. Sometimes that's the only way to make them better.

> While I understand your defensive attitude, I don't think
> it strengthens your position or makes your viewpoint seem
> any more attractive. Consider that.

Hardly defensive. There is no need for me to defend what can't be attacked. This conversation reminds me of a bunch of old men shouting that a storm is coming yet not being able to do anything to stop it.

> mjr.
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work: http://www.nfr.net
> Personal: http://www.ranum.com

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page last updated or reviewed: May 22, 2007